Allowing only specified users to access Cloud Firestore

July 31, 2019

I’ve been building a few apps recently that use Cloud Firestore for data storage. These are personal apps and don’t store anything particularly sensitive, but that is no reason to leave them in the default development configuration that lets anyone read and write everything.

Although in many projects I’m the only user, there are a handful of others where a few people use the app. A fairly flexible approach that I use as my default is to allow access only if the user is on an ‘allow list’.

I’ll show the steps needed to do this below. The prerequisites are:

Cloud Firestore enabled for the project

Authentication configured for the project with at least one user authenticated

Every user you want to grant access to will need to have authenticated with the project at least once, since the rule keys on their Firebase User UID, which is unique to each project

Implementing an allow list in Firestore

To make this work we’re going to create a security rule which will allow users to read/write any part of the database only if their User UID exists as a document ID in a specific collection, which we will populate by hand.

To get started you’ll need the User UID of a user who has previously authenticated with the project. In the example below I’m using testuser.

Create a new collection called allow-users and, for the first document, use the User UID as the document ID. No fields are required (though I’ve found that adding a friendly-name field, to remember which UID belongs to whom, is helpful).

Now configure your Firestore security rules. If you’re using the Firebase CLI, put them in the rules file referenced from firebase.json (firestore.rules by default) and deploy with firebase deploy --only firestore:rules; otherwise paste them into the Rules tab of the Firestore console and publish.
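As an added example (not the rules from the original post), here is a complete rules file implementing the allow list described above. It assumes the collection is named allow-users and that each document ID is a Firebase User UID, as in the steps above. It goes one step further than "read/write any part of the database": the catch-all rule excludes the allow-users collection itself, because otherwise any allow-listed user could add further UIDs to the list from a client.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // True when the caller is signed in and their UID is a document ID
    // in the allow-users collection (assumed name, as in the post).
    // exists() performs a document lookup, which is billed as a read.
    function isAllowListed() {
      return request.auth != null
        && exists(/databases/$(database)/documents/allow-users/$(request.auth.uid));
    }

    // The allow list itself: a signed-in user may read only their own entry
    // (handy for a client-side "am I allowed?" check); no client may write it.
    // Populate it from the Firebase console or the Admin SDK instead.
    match /allow-users/{uid} {
      allow read: if request.auth != null && request.auth.uid == uid;
      allow write: if false;
    }

    // Everything else: full read/write for allow-listed users, nothing for
    // anyone else. The collection guard keeps the catch-all from granting
    // write access to allow-users, since overlapping match blocks are OR'd.
    match /{collection}/{document=**} {
      allow read, write: if collection != 'allow-users' && isAllowListed();
    }
  }
}
```

Note that in Firestore rules an allow from any matching block wins, so the `allow write: if false` on allow-users alone would not protect the list; the `collection != 'allow-users'` check in the catch-all is what actually does it. A user whose UID is not in allow-users, including one who is signed in, gets no access to any document.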